
OIC GRCIM

AU.040 ORACLE SECURITY ADMINISTRATION AUDIT PLAN

CLIENT
ORACLE E-BUSINESS SUITE RELEASE 12.1.1
ORACLE SECURITY ADMINISTRATION AUDIT WORK PLAN

Author - Roger Drolet, CPA, MBA, CISA, CITP


Creation Date: 6-July-2010
Last Updated: 07-Sep-2010
Control Ref: grcim_au040_oracle_sec_admin_audit_plan
Version: 1.0

Contents
Document Control
Change Record
Reviewers
Distribution
Using the BR.030 Business Requirements Mapping (BRM) Form
GRC Requirements for SOD and Access Controls
Business Processes: Using Access Controls and Segregation of Duties in AACG 8.5
Mapping Source Introduction 1.0
Business Requirements, Mapping and Process Steps
Proposed Solution Introduction 1.0
Best Practices
Lessons Learned
Related Information
Mapping Solution Introduction 1.0
Workaround
Application Enhancement
Reengineering Opportunity
Solution Design Document Reference
Custom Report
Interface
Customization
Mapping Source Creating Access Policies 2.0
Business Requirements Mapping and Process Steps
Proposed Solution Creating Access Policies 2.0
Best Practices
Lessons Learned
Mapping Solution Creating Access Policies 2.0
Workaround
Application Enhancement
Reengineering Opportunity
Solution Design Document Reference
Custom Report
Interface
Customization
Mapping Source Finding and Resolving Conflicts 3.0
Business Requirements Mapping and Process Steps
Proposed Solution Finding and Resolving Conflicts 3.0
Best Practices
Lessons Learned
Mapping Solution Finding and Resolving Conflicts 3.0
Workaround
Application Enhancement
Reengineering Opportunity
Solution Design Document Reference
Copyright Oracle Independent Consultants (OIC) LLC, 2008. All rights reserved.

grcim_aacg_br030_access_controls_and_sod
Page 2 of 7

Rev 1.0

Custom Report
Interface
Customization
Mapping Source Reporting 4.0
Business Requirements Mapping and Process Steps
Best Practices
Lessons Learned
Related Documents
Workaround
Application Enhancement
Reengineering Opportunity
Solution Design Document Reference
Custom Report
Interface
Customization
Open Issues
Closed Issues


Document Control
Change Record

10

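| Date | Author | Rel | Change Reference |
|---|---|---|---|
| 07-Sep-10 | Roger Drolet | 1.0 | No previous document |

Reviewers

| Name | Position |
|---|---|
| | |

Distribution

| Copy No. | Name | Location |
|---|---|---|
| 1 | | |
| 2 | | |
| 3 | | |
| 4 | | |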


Introduction
The purpose of these audit plans and internal control questionnaires (ICQs) is to provide the audit, control
and security professional with a methodology for evaluating the subject matter of the ISACA publication
Security, Audit and Control Features Oracle E-Business Suite: A Technical and Risk Management
Guide, 2nd Edition. They examine key issues and components that need to be considered for this topic. The
review questions have been developed and reviewed with regard to COBIT 4.0. Note: The professional
should customize the audit programs and ICQs to define each specific organization's constraints, policies
and practices.

The following are included here:
Oracle Financial Accounting Business Cycle Audit Plan: Page 2
Oracle Financial Accounting Business Cycle ICQ: Page 16
Oracle Expenditure Business Cycle Audit Plan: Page 20
Oracle Expenditure Business Cycle ICQ: Page 36
Oracle Security Administration Audit Plan: Page 40
Oracle Security Administration ICQ: Page 53

| Item # | Control Objective/Test | Documentation / Matters Arising | Comments | COBIT References |
|---|---|---|---|---|
| | A. Prior Audit/Examination Report Follow-up | | | ME1 |
| | Review prior report, if one exists, and verify completion of any agreed-upon corrections. Note remaining deficiencies. | | | |
| | B. Preliminary Audit Steps | | | |
| | Gain an understanding of the Oracle Applications environment. The same background information obtained for the Oracle Applications Security audit plan is required for and relevant to the business cycles. In particular, obtain the following important information: | | | |
| 1 | Version and release of the Oracle Applications software that has been implemented | | | |
| 2 | Total number of named users (for comparison with logical access security testing results) | | | |
| 3 | Total number of named users (for comparison with logical access security testing results) | | | |
| 4 | Number of Oracle Applications database instances | | | |
| 5 | Company Codes | | | |
| 6 | Modules (e.g., Finance, Manufacturing, Marketing Management, Human Resources, Project Accounting, Supply Chain Management and industry-specific) that are being used | | | |
| 7 | Locally developed application programs, reports or tables created by the organization | | | |
| 8 | Details of the risk assessment approach taken in the organization to identify and prioritize risks | | | |
| 9 | Copies of the organization's key security policies and standards | | | |
| 10 | Outstanding audit findings, if any, from previous years | | | |

Open and Closed Issues for this Deliverable


Open Issues
| ID | Issue | Resolution | Responsibility | Target Date | Impact Date |
|---|---|---|---|---|---|
| | Need to provide related documentation. | | Roger Drolet | | |


Closed Issues
| ID | Issue | Resolution | Responsibility | Target Date | Impact Date |
|---|---|---|---|---|---|
| | | | | | |
